Is weak password security a threat to your business? In 2013, companies such as Adobe, MacRumors, GitHub, Cupid Media and vBulletin, among others, endured cyber attacks that resulted in millions of private user passwords being harvested by hackers (Fontana, 2013; Krebs, 2013). These companies are not the first to suffer such attacks, nor are they likely to be the last. The only way to stop this is to become educated about security and hacking. We need to be wiser and one step ahead of the game if we are going to protect our digital investments.
Are You Increasing The Likelihood Of An Attack?
Each time someone signs into your website you may be increasing the likelihood of an attack. Brute force attacks are one of the main ways that hackers gain access to your site. Common usernames, such as ‘Admin’, combined with simple passwords are the main reason for this type of breach.
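As an added illustration (not code from the original article), the following Python script shows how a site owner could spot the brute force pattern described above in a login log: it parses constructed sample log lines (the format, IPs and usernames are invented for this example) and flags any source that racks up repeated failed logins within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): a burst of failed logins against
# common admin usernames from one source, plus a user who mistyped once.
SAMPLE_LOG = """\
2013-11-20 10:00:01 FAIL user=admin ip=203.0.113.9
2013-11-20 10:00:02 FAIL user=admin ip=203.0.113.9
2013-11-20 10:00:02 FAIL user=Admin ip=203.0.113.9
2013-11-20 10:00:03 FAIL user=administrator ip=203.0.113.9
2013-11-20 10:00:04 FAIL user=admin ip=203.0.113.9
2013-11-20 10:00:40 OK   user=alice ip=198.51.100.7
2013-11-20 10:05:00 FAIL user=alice ip=198.51.100.7
2013-11-20 10:05:30 OK   user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<status>FAIL|OK)\s+"
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, status, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["status"], m["user"], m["ip"])

def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for every source IP that produced at least
    `threshold` failed logins inside any sliding `window`.  Keying on the source
    rather than the username also catches guessing across several usernames."""
    fails = defaultdict(list)
    for ts, status, _user, ip in parse_log(text):
        if status == "FAIL":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

A flagged source is a candidate for a temporary lockout or a rate limit on the login form; a single failed attempt from a legitimate user, like alice above, is left alone.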
As unfortunate as hacks like these are, they can be avoided. Using security plugins, taking a few extra steps to create an ironclad password, and keeping your site and plugins updated is all it takes. Don’t let the time and money you have spent on your business be compromised by someone’s joyride. Taking the right precautions will not only protect you, but hopefully help to shut down hackers.
For as long as the Internet has been around, weak passwords have been an invitation for hackers to deface sites and steal personal data. The rest of this article outlines specific ways that you can protect your website. There is no time like today. Remember, it takes only one breach to destroy all of your hard work.
Steps to protecting your website:
1. Never use the same password for more than one account.
One of the biggest mistakes that many people make is to use the same password for multiple accounts. The main reason for this is that they worry they will forget their password. It is convenient, but at the same time it puts your resources at great risk. It is not hard for a hacker to figure out which accounts you have, and if they all share the same username and password, you have just given them instant access to every one of them.
Furthermore, site security is not solely for your own purpose. You have a responsibility to protect your visitors as well. Each time a hacker gains access to one of your websites your customer data becomes vulnerable to theft and further abuse.
Just take a look at what Patrick Thomas, a Security Consultant for Neohapsis, had to say…
“It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average internet users…using the same password on multiple sites risks exposing that password if any sites are breached; the excellent security of one site is entirely nullified if attackers can harvest the correct password from a breach of a less secure site…most internet users will be far better off using random, unique passwords simply writing them down, or taking advantage of password vault programs that help generate and store passwords.” via GitHub, Cupid Media Address Password Security After Breaches …
2. Ensure that all staff are practicing password security.
It is your responsibility to make sure that all staff members are practicing password security. This of course includes adequate training, updates on security threats, and ongoing monitoring to ensure that there are no weaknesses in your digital infrastructure.
MacRumors’ recent attack came through the vBulletin platform, which was being used on their website. That site’s owner, Arnold Kim, had this to say about how hackers were able to gain access…
“In VB3, moderators can post ‘announcements’ in the forum, and by default announcements allow HTML,” Kim explained. “The hacker or hackers were able to somehow get a moderator’s login password, and used that to embed Javascript in an announcement and waited for an administrator to load that page. Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.” via vBulletin Breach Prompts Password Reset — Krebs on Security
3. Forget about trying to remember passwords.
Easy-to-remember passwords are often also common passwords. Hackers are aware of this and therefore embed code in bots that automate the process of entering these common terms into login fields. Alarmingly, many of these bots are able to gain access to sites for this reason.
Complex passwords include a mixture of symbols, numbers, and letters in both upper and lower case. Longer passwords that mix these character classes are nearly impossible to crack by brute force. Make sure that subscribers to your site also follow these rules. The best way to do this is to have a system in place that gives the subscriber their password via email rather than letting them choose it for themselves. If this is not an option, then put in place requirements that are clearly outlined on your website and explain to your subscribers the downside of easy-to-remember passwords.
“That need to remember, of course, is the problem. It’s not as if nearly two million Adobe users chose “123456” because they thought it would be hard for someone else to crack. No, I suspect they chose it precisely because it would be easy to remember. We’re asked for passwords on nearly every website now. Having a different, hard-to-crack password for each of them is a nightmare.” via Adobe’s Security Breach Shows Why Two-Factor Authentication Is …
4. Use a password generator to create your passwords.
Making use of a password generator and storage service can solve the issue of having to remember several passwords, as well as the challenge of creating a unique password every time. There are a number of reputable companies that offer this service for free, for example LastPass (lastpass.com). You can generate passwords, store notes, save URLs with an autofill option for when you visit that site, and even share logins with team members.
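As an added example covering both the complexity rules in step 3 and the generator in step 4 (this is not the article’s or LastPass’s code), the Python block below checks a candidate password against a length, character-class and common-password policy, estimates the brute-force work a password represents, and generates compliant passwords with the secrets module; the short denylist and the symbol set are constructed for the example.

```python
import math
import secrets
import string

# Constructed denylist (not from the article): a few of the passwords found at the
# top of every breach dump; a real deployment would load a large published list.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "letmein", "welcome"}

# Character classes the policy recognises; the symbol set is an assumption.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!#$%&*+-=?@^_~"),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))

def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def check_policy(password, min_length=12, min_classes=3):
    """Return the reasons the password fails the policy; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    used = classes_used(password)
    if len(used) < min_classes:
        problems.append(f"uses {len(used)} character classes, need {min_classes}")
    return problems

def entropy_bits(password):
    """Brute-force work estimate: log2(alphabet ^ length) over the classes actually used.
    Shows why a long all-lowercase passphrase can beat a short 'complex' password."""
    size = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(size) if size else 0.0

def generate_password(length=16):
    """Generate a random password with the secrets CSPRNG that uses every class.
    Rejection sampling keeps the result uniform over all qualifying strings instead
    of forcing each class into fixed positions."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, min_length=length, min_classes=len(CLASSES)):
            return candidate
```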
For those not interested in an automated password generator, here’s a cool tip for setting up your own system…
Avery Warren, in a recent article on NetworkWorld.com, suggests using 7-9 characters consisting of upper and lowercase letters, numbers, and special characters. Here is how he said you could set it up to create something unique and hard to hack, yet easy to remember.
“For example [take], the airport code for Phoenix, AZ is ‘PHX’ and a date [you] remember [like] the day JFK was assassinated, 11-22-1963. …PHX becomes PhX, and with 11-22-1963 you can substitute ! for the 1s and the # (shift 3) for the number 3. That results in a base password of PhX!!22!96# Now…develop a schema for any password site name. For example Google Gmail could become gml or gglgml, making my password for Google Gmail PhX!!2!!96#gml or PhX!!2!!96#gglgml” (Warren, 2013).
Tips Beyond Password Security
1. Always protect your customer data.
Customers have entrusted you with their personal information. It is your responsibility to go beyond just password security. You need to include regular scans of files, monitoring of data, and ensuring that all of your plugins are up-to-date. Become educated and subscribe to practices that protect all aspects of your business.
2. Never disclose password details through non-encrypted means.
Password details should never be provided through chat, phone, text files or email. The only secure means of sending a password is through an automated system that encrypts the data. While most systems do send forgotten passwords via email, it is your responsibility to ensure that you use a secure email service and never give someone else your login credentials.
3. Use tools to secure and scan your site regularly.
Software such as our SecureScanPro was created for this exact reason. It scans all of the files on your website, including the core WordPress files, and fixes the most common known security issues with the click of a button. You also have the ability to set the frequency of scanning and how you are notified of a potential breach of your site.
Education And Awareness
Website hacking and security risks are on the rise. This is not a problem that is going away any time soon – if ever. It is therefore imperative that you educate yourself and become aware of known threats and vulnerabilities. But most importantly, you must act accordingly.
Use unique, strong passwords, encrypt your user data and regularly scan your site for security issues. Put in place these practices as outlined here and visit our blog regularly for more tips and news on security threats. Remember there is no time like the present to begin protecting your website. It only takes one breach to put you out of business. Take the time and make the necessary changes today.
References
Fontana, John. (2013). GitHub hardens defenses in wake of password attack. ZDNet.com. http://www.zdnet.com/github-hardens-defenses-in-wake-of-password-attack-7000023528/
Krebs, Brian. (2013). Cupid Media Hack Exposed 42M Passwords. Krebsonsecurity.com. http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/
Krebs, Brian. (2013). vBulletin Breach Prompts Password Reset. Krebsonsecurity.com. http://krebsonsecurity.com/2013/11/vbulletin-breach-prompts-password-reset/
Warren, Avery. (2013). How to secure passwords and other critical numbers. NetworkWorld.com. http://www.networkworld.com/news/tech/2013/112513-secure-passwords-276335.html